Differences between revisions 1 and 24 (spanning 23 versions)
Revision 1 as of 2022-11-16 07:48:10
Size: 203
Editor: localhost
Comment:
Revision 24 as of 2022-11-17 09:05:38
Size: 1849
Editor: localhost
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
Describe désert/workarea/2022-11-16 here.
根据要求修改RHEL/CentOS Linux 6-7中的用户策略

<<TableOfContents()>>

= Step 1: 备份etc目录 =
执行修改操作之前, 建议备份/etc相关文件.

tar -zcvf etc_$(date +%F).tar.gz /etc/
Line 4: Line 12:
= Step 1: 备份etc目录配制 =
tar -zcvf etc$(date +%F).tar.gz /etc/		 = Step 2: 增加或修改/etc/pam.d目录中的system-auth文件为指定的参数 =

{{{
sed -i '/pam_pwquality/s#password#\#password#g' /etc/pam.d/system-auth

cat >> /etc/pam.d/system-auth <<EOF
### $(date +%F) added ###
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-4 ocredit=-1 enforce_for_root
password required pam_unix.so use_authtok nullok md5
EOF

}}}

= Step 3: 增加或修改/etc/pam.d目录中的login文件为指定的参数 =

{{{

cat >> /etc/pam.d/login <<EOF
### $(date +%F) added ###
auth required pam_tally2.so deny=5 unlock_time=300 even_deny_root root_unlock_time=300
auth required pam_env.so
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_limits.so
session required pam_unix.so
session required pam_lastlog.so nowtmp
session optional pam_mail.so standard
EOF

}}}

= Step 4: 查看配制文件 =

cat /etc/pam.d/system-auth

cat /etc/pam.d/login

= Step 5: 验证配制结果 =

== 修改用户密码 ==
预期结果: 密码需要满足复杂性要求,否则无法设置或修改用户密码

~# passwd root

~# passwd OTHER-USERNAME
Line 8: Line 61:
= Step 2: 修改/etc/pam.d目录中的system-auto文件为指定的参数 = == 从显示器或远程(KVM/CONSOLE)控制台登录 ==
预期结果: 使用root用户从LOCAL登录,尝试失败超过5次之后root用户锁定, 并在5分钟之后自动恢复为可登录状态.

= References =
 * man pam_tally2
 * man pam_pwquality

根据要求修改RHEL/CentOS Linux 6-7中的用户策略

Contents

  1. Step 1: 备份etc目录
  2. Step 2: 增加或修改/etc/pam.d目录中的system-auth文件为指定的参数
  3. Step 3: 增加或修改/etc/pam.d目录中的login文件为指定的参数
  4. Step 4: 查看配制文件
  5. Step 5: 验证配制结果
    1. 修改用户密码
    2. 从显示器或远程(KVM/CONSOLE)控制台登录
  6. References

Step 1: 备份etc目录

执行修改操作之前, 建议备份/etc相关文件.

tar -zcvf etc_$(date +%F).tar.gz /etc/

Step 2: 增加或修改/etc/pam.d目录中的system-auth文件为指定的参数

sed -i '/pam_pwquality/s#password#\#password#g' /etc/pam.d/system-auth

cat >> /etc/pam.d/system-auth <<EOF
### $(date +%F) added ###
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-4 ocredit=-1 enforce_for_root
password  required pam_unix.so use_authtok nullok md5
EOF

Step 3: 增加或修改/etc/pam.d目录中的login文件为指定的参数

cat >> /etc/pam.d/login <<EOF
### $(date +%F) added ###
auth     required       pam_tally2.so deny=5 unlock_time=300 even_deny_root root_unlock_time=300
auth     required       pam_env.so
auth     required       pam_unix.so
auth     required       pam_nologin.so
account  required       pam_unix.so
password required       pam_unix.so
session  required       pam_limits.so
session  required       pam_unix.so
session  required       pam_lastlog.so nowtmp
session  optional       pam_mail.so standard
EOF

Step 4: 查看配制文件

cat /etc/pam.d/system-auth

cat /etc/pam.d/login

Step 5: 验证配制结果

修改用户密码

预期结果: 密码需要满足复杂性要求,否则无法设置或修改用户密码

~# passwd root

~# passwd OTHER-USERNAME

从显示器或远程(KVM/CONSOLE)控制台登录

预期结果: 使用root用户从LOCAL登录,尝试失败超过5次之后root用户锁定, 并在5分钟之后自动恢复为可登录状态.

References

  • man pam_tally2
  • man pam_pwquality

désert/workarea/2022-11-16 (last edited 2022-11-17 09:32:05 by localhost)